Date: Fri, 22 Dec 2023 18:21:24 -0800
Subject: [PATCH 3/7] Reviewed applocker articles for accuracy and fixed
Acrolinx and readability issues.
---
.../applocker-policies-deployment-guide.md | 51 ++++++--------
.../create-your-applocker-policies.md | 41 +++++------
.../applocker/create-your-applocker-rules.md | 70 +++++++++----------
...oy-the-applocker-policy-into-production.md | 35 +++++-----
...ements-for-deploying-applocker-policies.md | 61 ++++++++--------
...the-applocker-policy-deployment-process.md | 21 +++---
...-create-and-maintain-applocker-policies.md | 66 +++++++++--------
7 files changed, 160 insertions(+), 185 deletions(-)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index 3e609e4176..c6e633f5be 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -1,47 +1,38 @@
---
title: AppLocker deployment guide
-description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
+description: This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# AppLocker deployment guide
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
-This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
-
-This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It's intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.
-
-This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
+This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. By creating, testing, and maintaining your application control policies through a sequential and iterative deployment process, you can adapt to the changing needs of your organization.
## Prerequisites to deploying AppLocker policies
The following are prerequisites or recommendations to deploying policies:
-- Understand the capabilities of AppLocker:
- - [AppLocker](applocker-overview.md)
-- Document your application control policy deployment plan by addressing these tasks:
- - [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
- - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
- - [Determine your application control objectives](determine-your-application-control-objectives.md)
- - [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
- - [Select types of rules to create](select-types-of-rules-to-create.md)
- - [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
- - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-
-## Contents of this guide
-
-This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
+- Understand the capabilities of AppLocker:
+ - [AppLocker](applocker-overview.md)
+- Document your application control policy deployment plan by addressing these tasks:
+ - [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+ - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+ - [Determine your application control objectives](determine-your-application-control-objectives.md)
+ - [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+ - [Select types of rules to create](select-types-of-rules-to-create.md)
+ - [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+ - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
## In this section
-| Topic | Description |
-| - | - |
-| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. |
-| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
-| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
-| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
-| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
+| Article | Description |
+| --- | --- |
+| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies. |
+| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
+| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This article for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
+| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
+| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
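Review bot: Removing the "Contents of this guide" section near the end of this hunk drops the only link to requirements-to-use-applocker.md visible in this file, and the feature-availability note is removed at the top, so nothing left on the page tells the reader which Windows versions the guide applies to. Suggest keeping a one-line pointer to [Requirements to use AppLocker](requirements-to-use-applocker.md) under "Prerequisites to deploying AppLocker policies". The SRP paragraph is also deleted while the "In this section" table still lists "Use Software Restriction Policies and AppLocker policies", which now appears without introduction. The new opening sentence repeats the front-matter description word for word, so one of the two could be reworded.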
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
index 861bf58502..1b14478169 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -1,40 +1,36 @@
---
title: Create Your AppLocker policies
-description: This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
+description: This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Create Your AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
-This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.
-
-Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection can be configured to be enforced or to run in **Audit only** mode. An AppLocker policy includes the rules in the five rule collections and the enforcement settings for each rule collection.
+Creating effective application control policies with AppLocker starts by creating the rules for each app. Rules are grouped into one of five rule collections. The rule collection is configured to enforce or to audit only. An AppLocker policy includes the rules in the five rule collections and the enforcement mode settings for each rule collection.
## Step 1: Use your plan
-You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to develop this policy and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group:
+You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to develop this policy and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following articles to help you create an AppLocker policy deployment plan for your organization that addresses your specific application control requirements by department, organizational unit, or business group:
-1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
-2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
-3. [Determine your application control objectives](determine-your-application-control-objectives.md)
-4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
-5. [Select the types of rules to create](select-types-of-rules-to-create.md)
-6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+3. [Determine your application control objectives](determine-your-application-control-objectives.md)
+4. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+5. [Select the types of rules to create](select-types-of-rules-to-create.md)
+6. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+7. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
## Step 2: Create your rules and rule collections
-Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or they can be generated by the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md).
+Each rule applies to one or more apps, and it imposes a specific rule condition on them. Rules can be created individually or by using the Automatically Generate Rules Wizard. For the steps to create the rules, see [Create Your AppLocker rules](create-your-applocker-rules.md).
## Step 3: Configure the enforcement setting
-An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it's set to **Not configured**, all the rules in that
-policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
+An AppLocker policy is a set of rule collections that are configured with a rule enforcement mode setting. The enforcement mode setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker rule collection has at least one rule, and is set to **Not configured**, the rules in that rule collection are enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
## Step 4: Update the GPO
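Review bot: In Step 3 the rewritten paragraph switches to "enforcement mode setting", but its last sentence still says "configuring the rule enforcement setting" and the heading "Step 3: Configure the enforcement setting" is unchanged; pick one term and use it in the heading and throughout the paragraph. The corrected statement that a rule collection with at least one rule and set to **Not configured** is enforced is easy to miss mid-paragraph, and it is the default an administrator is most likely to misread as "inactive", so consider moving it into a NOTE callout. In the intro paragraph, "configured to enforce or to audit only" loses the bold **Audit only** label that Step 3 still uses for the same setting.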
@@ -49,15 +45,16 @@ In a test environment or with the enforcement setting set at **Audit only**, ver
Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value-**Enforce rules** or **Audit only**.
## Step 7: Test the effect of the policy and adjust
+
Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. For information on how to do these tasks, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
## Next steps
-Follow the steps described in the following topics to continue the deployment process:
+Follow the steps described in the following articles to continue the deployment process:
-1. [Create Your AppLocker rules](create-your-applocker-rules.md)
-2. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
-3. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+1. [Create Your AppLocker rules](create-your-applocker-rules.md)
+2. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+3. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
## See also
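Review bot: The Step 6 sentence carried as context at the top of this hunk still reads "change the enforcement setting to your production environment value-**Enforce rules** or **Audit only**", which now disagrees with the "enforcement mode setting" wording this patch introduces in Step 3 of the same file, and the bare hyphen after "value" reads as part of a compound word. Since the commit targets readability, suggest updating that sentence in this hunk as well, for example ending it "to your production value: **Enforce rules** or **Audit only**".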
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
index c32cbf3af1..e04367462f 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/create-your-applocker-rules.md
@@ -1,71 +1,67 @@
---
title: Create Your AppLocker rules
-description: This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
+description: This article for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Create Your AppLocker rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules.
+This article for the IT professional describes what you need to know about AppLocker rules and the methods used to create rules.
## Creating AppLocker rules
-AppLocker rules apply to the targeted app, and they're the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md).
+AppLocker rules control what apps run in your organization. Depending on the complexity of your organization's application requirements, managing these application control rules can be time-consuming and error prone. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md).
### Automatically generate your rules
-You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed apps gives you a starting point to build and test your policies. For info about performing this task, see the following topics:
+You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating rules for all installed apps gives you a starting point to build and test your policies. For info about performing this task, see the following articles:
-- [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
-- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
-- [Create AppLocker default rules](create-applocker-default-rules.md)
-- [Edit AppLocker rules](edit-applocker-rules.md)
-- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+- [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
+- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
+- [Create AppLocker default rules](create-applocker-default-rules.md)
+- [Edit AppLocker rules](edit-applocker-rules.md)
+- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
### Create your rules individually
-You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you're targeting a few applications within a business group.
+Creating rules individually might be best when you're managing a few applications within a business group.
+
+> [!NOTE]
+> The AppLocker wizards can generate default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
->**Note:** AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md).
-
For information about performing this task, see:
-1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
-2. [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
-3. [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
-4. [Edit AppLocker rules](edit-applocker-rules.md)
-5. [Enforce AppLocker rules](enforce-applocker-rules.md)
-6. [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+2. [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+3. [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+4. [Edit AppLocker rules](edit-applocker-rules.md)
+5. [Enforce AppLocker rules](enforce-applocker-rules.md)
+6. [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
## About selecting rules
-AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they're implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer.
-
-When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group.
+AppLocker policies are composed of rules to allow or deny specific app files. These rules are grouped into rule collections, and they're implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer.
For info about how to determine and document your AppLocker rules, see [AppLocker Design Guide](applocker-policies-design-guide.md).
-For info about AppLocker rules and AppLocker policies, see the following topics:
+For info about AppLocker rules and AppLocker policies, see the following articles:
-- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
-- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
-- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
-- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
-- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
-- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
## Next steps
-1. [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
-2. [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
-3. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
-4. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+1. [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
+2. [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
+3. [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+4. [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
-## Related topics
+## Related articles
- [Create Your AppLocker policies](create-your-applocker-policies.md)
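Review bot: The added front-matter description still reads "the methods that you can to create rules", which is missing a verb; the body sentence was fixed to "the methods used to create rules", so the description should get the same wording. Under "Create your rules individually", the advice to set the mode to **Audit only** and test each rule before deploying is removed with no replacement, while the list below still links "Enforce AppLocker rules" ahead of "Configure an AppLocker policy for audit only"; consider keeping one sentence that recommends auditing before enforcing. The closing heading becomes "Related articles" here, whereas the other files in this patch end with "See also".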
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index da372fd5b0..38a183679a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -1,42 +1,39 @@
---
title: Deploy the AppLocker policy into production
-description: This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
+description: This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Deploy the AppLocker policy into production
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
-This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.
+After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you're ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement mode setting from **Audit only** to **Enforce rules** for a rule collection. Be sure to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement mode settings for linked GPOs.
-After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from **Audit only** to **Enforce rules**. However, it is important to follow the deployment plan that you created earlier. For more info, see the [AppLocker Design Guide](applocker-policies-design-guide.md). Depending on the needs of different business groups in your organization, you might deploy different enforcement settings for linked GPOs.
-
-### Understand your design decisions
+## Understand your design decisions
Before you deploy an AppLocker policy, you should determine:
-- For each business group, which applications will be controlled and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
-- How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md).
-- How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
-- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
+- For each business group, which applications to control and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
+- How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md).
+- How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
+- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
-### AppLocker deployment methods
+## AppLocker deployment methods
-If you have configured a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then
-observe the events that are generated.
-- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+If you configure a reference device, you can create and update your AppLocker policies on this device, test the policies, and then export the policies to the appropriate GPO for distribution. Another method is to create the policies and set the enforcement setting on **Audit only**, then observe the events that are generated.
- This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
+- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-- [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+ This article describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
- This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to **Audit only** or to **Enforce rules**.
+- [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+
+ This article describes the steps to deploy the AppLocker policy by changing the enforcement mode setting to **Audit only** or to **Enforce rules**.
## See also
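Review bot: The rewritten paragraph under "AppLocker deployment methods" still says "set the enforcement setting on **Audit only**", while the last added line of this hunk says "enforcement mode setting". Pick one term for the whole article and use "to" rather than "on", for example "set the enforcement mode setting to **Audit only**". The first list item links to "Use a reference device ..." but its description says "AppLocker reference computer", so the device/computer wording should be aligned in the same pass.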
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 70a6f0b415..eb55e89166 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -1,65 +1,64 @@
---
title: Requirements for deploying AppLocker policies
-description: This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
+description: This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Requirements for deploying AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
+This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.
The following requirements must be met or addressed before you deploy your AppLocker policies:
-- [Deployment plan](#bkmk-reqdepplan)
-- [Supported operating systems](#bkmk-reqsupportedos)
-- [Policy distribution mechanism](#bkmk-reqpolicydistmech)
-- [Event collection and analysis system](#bkmk-reqeventcollectionsystem)
-### Deployment plan
+- [Deployment plan](#deployment-plan)
+- [Supported operating systems](#supported-operating-systems)
+- [Policy distribution mechanism](#policy-distribution-mechanism)
+- [Event collection and analysis system](#event-collection-and-analysis-system)
-An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
+## Deployment plan
+
+A successful AppLocker policy deployment begins with a policy design that allows the applications needed by your organization and prevents unauthorized apps, including malware, from running. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies.
|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|Support policy|
-|--- |--- |--- |--- |--- |--- |--- |--- |--- |
+| --- | --- | --- | --- | --- | --- | --- | --- | --- |
|Bank Tellers|Teller-East and Teller-West|Yes|Teller software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers|Web help|
||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help Desk|
-||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help|
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||Web help|
|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR|Web help|
||||Internet Explorer 7|C:\Program Files\Internet Explorer|File is signed; create a publisher condition|Deny||Help Desk|
||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help Desk|
-
-Event processing policy
+
+### Event processing policy
|Business group|AppLocker event collection location|Archival policy|Analyzed?|Security policy|
-|--- |--- |--- |--- |--- |
+| --- | --- | --- | --- | --- |
|Bank Tellers|Forwarded to: srvBT093|Standard|None|Standard|
|Human Resources|Do not forward|60 months|Yes; summary reports monthly to managers|Standard|
-
-Policy maintenance policy
+
+### Policy maintenance policy
|Business group|Rule update policy|App decommission policy|App version policy|App deployment policy|
-|--- |--- |--- |--- |--- |
-|Bank Tellers|Planned: Monthly through business office triageEmergency: Request through Help Desk|Through business office triage; 30-day notice required|General policy: Keep past versions for 12 months
List policies for each application|Coordinated through business office; 30-day notice required|
-|Human Resources|Planned: Through HR triage
Emergency: Request through Help Desk|Through HR triage; 30-day notice required|General policy: Keep past versions for 60 months
List policies for each application|Coordinated through HR; 30-day notice required|
-
-### Supported operating systems
+| --- | --- | --- | --- | --- |
+| Bank Tellers | Planned: Monthly through business office triage
Emergency: Request through Help Desk | Through business office triage; 30-day notice required | General policy: Keep past versions for 12 months
List policies for each application | Coordinated through business office; 30-day notice required |
+| Human Resources | Planned: Through HR triage
Emergency: Request through Help Desk | Through HR triage; 30-day notice required |General policy: Keep past versions for 60 months
List policies for each application | Coordinated through HR; 30-day notice required |
-AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
+## Supported operating systems
-### Policy distribution mechanism
+AppLocker is supported only on certain operating systems. Some features aren't available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
-You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in.
+## Policy distribution mechanism
-### Event collection and analysis system
+You need a way to distribute the AppLocker policies throughout the targeted business groups. AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. AppLocker rules can also be distributed through a mobile device management solution, like Microsoft Intune.
+
+## Event collection and analysis system
Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:
-- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
-- [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
-- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+
+- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+- [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
+- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
## See also
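Review bot: In the new "Deployment plan" paragraph, "To develop this plan" has lost its antecedent, because the rewritten opening sentence talks about a "policy design" and never mentions a plan. Suggest "To develop this design, see ..." or reintroduce the deployment plan in the first sentence. In "Policy distribution mechanism", the added Intune sentence produces two consecutive "can also" sentences and gives no link for the MDM route; consider merging them and pointing to the relevant article. The example table still lists "Internet Explorer 7" and "Do not forward" even though a neighbouring row was updated to "isn't", which reads as inconsistent for an article now dated 12/22/2023.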
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index d06e82f836..3340e10f44 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -1,19 +1,16 @@
---
title: Understand the AppLocker policy deployment process
-description: This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
+description: This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Understand the AppLocker policy deployment process
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies.
-This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.
-
-To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is taking an accurate inventory of your organization's applications, which requires investigation of all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications.
+To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is taking an accurate inventory of your organization's applications, which requires investigation of all the targeted business groups. With an accurate inventory, you can create and deploy policies that allow the organization's required applications and provide IT the control they need over the organization's app landscape.
The following diagram shows the main points in the design, planning, and deployment process for AppLocker.
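Review bot: The new last sentence of the intro paragraph, "provide IT the control they need over the organization's app landscape", pairs a singular "IT" with "they" and replaces the concrete "set enforcement criteria" with the vague "app landscape". Suggest wording such as "give the IT department the control it needs over which applications run", and keep a mention of enforcement if the deployment process still depends on it.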
@@ -21,9 +18,9 @@ The following diagram shows the main points in the design, planning, and deploym
## Resources to support the deployment process
-The following topics contain information about designing, planning, deploying, and maintaining AppLocker policies:
+The following articles contain information about designing, planning, deploying, and maintaining AppLocker policies:
-- For info about the AppLocker policy design and planning requirements and process, see [AppLocker Design Guide](applocker-policies-design-guide.md).
-- For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md).
-- For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md).
-- For info about AppLocker policy architecture, components, and processing, see [AppLocker technical reference](applocker-technical-reference.md).
+- For info about the AppLocker policy design and planning requirements and process, see [AppLocker Design Guide](applocker-policies-design-guide.md).
+- For info about the AppLocker policy deployment requirements and process, see [AppLocker deployment guide](applocker-policies-deployment-guide.md).
+- For info about AppLocker policy maintenance and monitoring, see [Administer AppLocker](administer-applocker.md).
+- For info about AppLocker policy architecture, components, and processing, see [AppLocker technical reference](applocker-technical-reference.md).
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index c86f226134..47b1b1388d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -1,17 +1,14 @@
---
title: Use a reference device to create and maintain AppLocker policies
-description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
+description: This article for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/22/2023
---
# Use a reference device to create and maintain AppLocker policies
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
+This article for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
## Background and prerequisites
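Review bot: The description and the intro sentence edited in this hunk still end with "by using a reference computer", while the title and H1 say "reference device". Both lines are already being changed for topic/article, so switch them to "reference device" here to keep one term throughout the article.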
@@ -19,51 +16,52 @@ An AppLocker reference device is a baseline device you can use to configure poli
An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment.
->**Important:** The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
-
-You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies.
+You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement mode setting or Windows PowerShell cmdlets.
## Step 1: Automatically generate rules on the reference device
With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For information on how to automatically generate rules, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
->**Note:** If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules.
-
+> [!NOTE]
+> If you run this wizard to create your first rules for a Group Policy Object (GPO), you will be prompted to create the default rules which allow critical system files to run. You can edit the default rules at any time. If your organization uses custom rules to allow the Windows system files to run, ensure that you delete the default rules after you create your custom rules.
+
## Step 2: Create the default rules on the reference device
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md).
->**Important:** You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.
-
+> [!IMPORTANT]
+> You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.
+
## Step 3: Modify rules and the rule collection on the reference device
-If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For information on how to export and save the policies, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures:
+If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For information on how to export and save the policies, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies are deployed, create the rules and develop the policies by using the following procedures:
-- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
-- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
-- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
-- [Edit AppLocker rules](edit-applocker-rules.md)
-- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
-- [Delete an AppLocker rule](delete-an-applocker-rule.md)
-- [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
-- [Enforce AppLocker rules](enforce-applocker-rules.md)
+- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+- [Edit AppLocker rules](edit-applocker-rules.md)
+- [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+- [Delete an AppLocker rule](delete-an-applocker-rule.md)
+- [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+- [Enforce AppLocker rules](enforce-applocker-rules.md)
## Step 4: Test and update AppLocker policy on the reference device
-You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it's receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step:
+You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any apps on your reference device are blocked by the rules in your rule collections. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it's receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step:
-- [Test an AppLocker Policy with Test-AppLockerPolicy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791772(v=ws.10))
-- [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10))
+- [Test an AppLocker Policy with Test-AppLockerPolicy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791772(v=ws.10))
+- [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10))
+
+> [!WARNING]
+> If you have set the enforcement mode setting on the rule collection to **Enforce rules** or **Not configured**, the policy will be enforced upon completing the next step. Set the enforcement mode setting on the rule collection to **Audit only** if you aren't ready to block any files from running.
->**Caution:** If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.
-
## Step 5: Export and import the policy into production
-When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that aren't managed by Group Policy) and checked for its intended effectiveness. To do these tasks, perform the following procedures:
+After you test your AppLocker policy, you can import it into the GPO (or imported into individual computers not managed by Group Policy) and checked for its intended effectiveness. To do these tasks, perform the following procedures:
-- [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
-- [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or
-- [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10))
+- [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
+- [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or
+- [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10))
If the AppLocker policy enforcement setting is **Audit only** and you're satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
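Review bot: The rewritten Step 5 sentence is ungrammatical: "you can import it into the GPO (or imported into individual computers not managed by Group Policy) and checked for its intended effectiveness" keeps "imported" and "checked" from the old passive construction. Suggest "you can import it into the GPO (or into individual computers not managed by Group Policy) and check that it has the intended effect". Separately, the new WARNING before Step 5 drops the statement that **Audit only** writes application access events to the AppLocker log without the policy taking effect, and the removed Important note about supported Windows editions for the reference device has no replacement in this hunk. Consider keeping one sentence for each so readers of this article still see both facts. The paragraph after the Step 5 list also still says "enforcement setting" where the rest of the hunk now uses "enforcement mode setting".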
@@ -71,9 +69,9 @@ If the AppLocker policy enforcement setting is **Audit only** and you're satisfi
If more refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy:
-- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
-- [Edit an AppLocker policy](edit-an-applocker-policy.md)
-- [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
+- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+- [Edit an AppLocker policy](edit-an-applocker-policy.md)
+- [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
## See also
From c3e35ec54146c4db19c7574c0916a4851c1c0cc8 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Sat, 23 Dec 2023 09:09:45 -0800
Subject: [PATCH 4/7] Reviewed AppLocker articles for accuracy and fixed
Acrolinx and readability issues.
---
.../applocker-policy-use-scenarios.md | 60 ++++++++----------
.../applocker-technical-reference.md | 35 +++++------
...onfigure-the-appLocker-reference-device.md | 40 ++++++------
...igitally-signed-on-a-reference-computer.md | 20 +++---
.../requirements-to-use-applocker.md | 48 +++++---------
.../applocker/what-is-applocker.md | 63 ++++---------------
6 files changed, 99 insertions(+), 167 deletions(-)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 7657e480fa..a2776beaac 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -1,56 +1,50 @@
---
title: AppLocker policy use scenarios
-description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
+description: This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker policy use scenarios
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
-This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
+AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker include:
-AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows:
+1. **App inventory**
-1. **App inventory**
+ AppLocker can apply its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access.
- AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access.
+2. **Protection against unwanted software**
-2. **Protection against unwanted software**
+ AppLocker can block apps from running simply by excluding them from the list of allowed apps per business group or user. Any app not allowed by your policy based on its publisher, installation path, or file hash, is blocked.
- AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app isn't identified by its publisher, installation path, or file hash, the attempt to run the application fails.
+3. **Licensing conformance**
-3. **Licensing conformance**
+ With AppLocker's app inventory described earlier, you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
- AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
+4. **Software standardization**
-4. **Software standardization**
+ AppLocker policies can allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
- AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
-
-5. **Manageability improvement**
-
- AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers.
-
-### Use scenarios
+## Use scenarios
The following are examples of scenarios in which AppLocker can be used:
-- Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
-- The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed.
-- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps aren't licensed or prevent unauthorized users from running licensed software.
-- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
-- Your organization needs to restrict the use of Universal Windows apps to just those apps your organization approves of or develops.
-- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
-- The license to an app has been revoked or is expired in your organization, so you need to prevent it from being used by everyone.
-- A new app or a new version of an app is deployed, and you need to allow certain groups to use it.
-- Specific software tools aren't allowed within the organization, or only specific users have access to those tools.
-- A single user or small group of users needs to use a specific app that is denied for all others.
-- Some computers in your organization are shared by people who have different software usage needs.
-- In addition to other measures, you need to control the access to sensitive data through app usage.
+- Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
+- Your security policy for application usage changed, and you need to evaluate where and when those deployed apps are being accessed.
+- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps aren't licensed or prevent unauthorized users from running licensed software.
+- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
+- Your organization needs to restrict the use of Universal Windows apps to just those apps your organization approves of or develops.
+- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
+- The license to an app is revoked or expired in your organization, so you need to prevent it from being used by everyone.
+- A new app or a new version of an app is deployed, and you need to allow certain groups to use it.
+- Specific software tools aren't allowed within the organization, or only specific users have access to those tools.
+- A single user or small group of users needs to use a specific app that is denied for all others.
+- Some people who need access to different apps share computers in your organization.
+- In addition to other measures, you need to control the access to sensitive data through app usage.
+
+## Related articles
-## Related topics
- [AppLocker technical reference](applocker-technical-reference.md)
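Review bot: Deleting item 5, **Manageability improvement**, removes more than the Software Restriction Policies reference. It also drops the statements that policies are deployed through the existing Group Policy infrastructure and that the AppLocker cmdlets can be used to test policies for the expected results. If the intent is only to stop mentioning SRP, keep the item and cut that one clause. Separately, the reworded bullet "Some people who need access to different apps share computers in your organization" is harder to parse than the line it replaces, which led with the shared computers.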
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
index 8f8b29113c..909445c4b9 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -1,30 +1,27 @@
---
title: AppLocker technical reference
-description: This overview topic for IT professionals provides links to the topics in the technical reference.
+description: This overview article for IT professionals provides links to the articles in the technical reference.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker technical reference
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This overview topic for IT professionals provides links to the topics in the technical reference.
-AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
+This overview article for IT professionals provides links to the articles in the technical reference.
+AppLocker lets you create rules to allow or deny apps from running based on information about the apps' files. You can specify unique rules for different users or groups to control who can run those apps.
## In this section
-| Topic | Description |
-| - | - |
-| [What Is AppLocker?](what-is-applocker.md) | This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
-| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
-| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
-| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
-| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker's basic architecture and its major components. |
-| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
-| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
-| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. |
-| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. |
-| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
+| Article | Description |
+| --- | --- |
+| [What Is AppLocker?](what-is-applocker.md) | This article for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
+| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
+| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
+| [How AppLocker works](how-applocker-works-techref.md) | This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies. |
+| [AppLocker architecture and components](applocker-architecture-and-components.md) | This article for IT professional describes AppLocker's basic architecture and its major components. |
+| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
+| [AppLocker functions](applocker-functions.md) | This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
+| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This article for the IT professional describes the security considerations you need to address when implementing AppLocker. |
+| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This article for the IT professional describes the tools available to create and administer AppLocker policies. |
+| [AppLocker Settings](applocker-settings.md) | This article for the IT professional lists the settings used by AppLocker. |
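Review bot: The added row for `what-is-applocker.md` still says the article describes "how its features differ from Software Restriction Policies", but this same patch changes that article's description to "describes what AppLocker is" and deletes its SRP comparison tables. Update the row to match the new description. While these rows are being rewritten, "This article for IT professional describes" in the architecture and components row is missing "the".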
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index eb422a3a03..9ad52b4cd3 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -1,44 +1,42 @@
---
title: Configure the AppLocker reference device
-description: This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
+description: This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Configure the AppLocker reference device
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
+This article for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
An AppLocker reference device that is used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference device, you can:
-- Maintain an application list for each business group.
-- Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules.
-- Create the default rules to allow the Windows system files to run properly.
-- Run tests and analyze the event logs to determine the effect of the policies that you intend to deploy.
+- Maintain an application list for each business group.
+- Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules.
+- Create the default rules to allow the Windows system files to run properly.
+- Run tests and analyze the event logs to determine the effect of the policies that you intend to deploy.
The reference device doesn't need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
->**Warning:** Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
-
-**To configure a reference device**
+> [!WARNING]
+> Don't use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies won't work as expected.
-1. If the operating system isn't already installed, install one of the supported editions of Windows on the device.
+## To configure a reference device
- >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device
-
-2. Configure the administrator account.
+1. If the operating system isn't already installed, install one of the supported editions of Windows on the device.
- To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO).
+ >**Note:** If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device.
-3. Install all apps that run in the targeted business group or OU by using the same directory structure.
+2. Configure the administrator account.
+
+ To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have delegated privileges to use Group Policy to update a Group Policy Object (GPO).
+
+3. Install all apps that run in the targeted business group or OU by using the same directory structure.
The reference device should be configured to mimic the structure of your production environment. It depends on having the same apps in the same directories to accurately create the rules.
### See also
-- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this task, see [Working with AppLocker rules](working-with-applocker-rules.md).
-- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+- After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this task, see [Working with AppLocker rules](working-with-applocker-rules.md).
+- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
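Review bot: The warning is converted to the `> [!WARNING]` alert syntax, but the note under step 1 is re-added as `>**Note:**`, so the two callouts in this article use different markup; switch that one to `> [!NOTE]` as well. The procedure title is also promoted to `## To configure a reference device` while `### See also` stays at level 3, which nests the See also list under the procedure. The text still alternates between "reference device" and "reference computer"; pick one term.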
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
index a654dfc5f7..56fef83f74 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
@@ -1,31 +1,29 @@
---
title: Find digitally signed apps on a reference device
-description: This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
+description: This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Determine which apps are digitally signed on a reference device
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
+This article for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device doesn't need to be joined to the domain.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
-**To determine which apps are digitally signed on a reference device**
-1. Run **Get-AppLockerFileInformation** with the appropriate parameters.
+## To determine which apps are digitally signed on a reference device
- The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that aren't signed don't have any publisher information.
+1. Run **Get-AppLockerFileInformation** with the appropriate parameters.
-2. Analyze the publisher's name and digital signature status from the output of the command.
+ The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log might not contain all of these fields. Files that aren't signed don't have any publisher information.
+
+2. Analyze the publisher's name and digital signature status from the output of the command.
For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460961(v=technet.10)).
-## Related topics
+## Related articles
- [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
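Review bot: The unchanged line after step 2 still sends readers to `/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460961(v=technet.10)` for parameters, syntax, and examples, which is archived Windows Server 2008 R2 documentation. Since this pass is an accuracy review that sets `ms.date: 12/23/2023`, point the link at the currently maintained Get-AppLockerFileInformation reference instead. The intro paragraph also mixes "reference devices" and "reference computer" in consecutive sentences.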
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 5d2b189772..3d5dcd1008 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -1,61 +1,43 @@
---
title: Requirements to use AppLocker
-description: This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+description: This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Requirements to use AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
+This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
## General requirements
To use AppLocker, you need:
-- A device running a supported operating system to create the rules. The computer can be a domain controller.
-- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
-- Devices running a supported operating system to enforce the AppLocker rules that you create.
+- A device running a supported operating system to create the rules. The computer can be a domain controller.
+- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
+- Devices running a supported operating system to enforce the AppLocker rules that you create.
>[!NOTE]
->As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies
-
+>As of [KB 5024351](https://support.microsoft.com/help/5024351), Windows 10 versions 2004 and newer and all Windows 11 versions no longer require a specific edition of Windows to enforce AppLocker policies.
+
## Operating system requirements
The following table shows the Windows versions on which AppLocker features are supported.
| Version | Can be configured | Can be enforced | Available rules | Notes |
-| - | - | - | - | - |
-| Windows 10 and Windows 11| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
- Policies deployed through GP are only supported on Enterprise and Server editions.
- Policies deployed through MDM are supported on all editions.
|
-| Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
-| Windows 8.1 Pro| Yes| No| N/A||
-| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
-| Windows RT 8.1| No| No| N/A||
-| Windows 8 Pro| Yes| No| N/A||
-| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
-| Windows RT| No| No| N/A| |
-| Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows 7 Ultimate| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows 7 Enterprise| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules won't be enforced.|
-| Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.|
-
+| --- | --- | --- | --- | --- |
+| Windows 10 and Windows 11 | Yes | Yes | Packaged apps
Executable
Windows Installer
Script
DLL | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).
Windows versions older than version 2004, including Windows Server 2019:
- Policies deployed through GP are only supported on Enterprise and Server editions.
- Policies deployed through MDM are supported on all editions.
|
+| Windows Server 2019
Windows Server 2016
Windows Server 2012 R2 | Yes | Yes | Packaged apps
Executable
Windows Installer
Script
DLL| |
+| Windows 8.1 Pro | Yes | No | N/A | |
+| Windows 8.1 Enterprise | Yes | Yes | Packaged apps
Executable
Windows Installer
Script
DLL | |
-AppLocker isn't supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature isn't supported on the above operating systems.
-
->[!NOTE]
->You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
+AppLocker isn't supported on versions of the Windows operating system not listed in the preceding table.
## See also
+
- [Administer AppLocker](administer-applocker.md)
- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
- [Optimize AppLocker performance](optimize-applocker-performance.md)
-- [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
- [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
- [AppLocker Design Guide](applocker-policies-design-guide.md)
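Review bot: The new closing sentence, "AppLocker isn't supported on versions of the Windows operating system not listed in the preceding table", now covers every row this hunk deletes, including Windows Server 2012, Windows 8 Enterprise, Windows 7 Enterprise and Ultimate, and Windows Server 2008 R2, all of which the old table marked as both configurable and enforceable. If those rows were dropped because the releases are out of support, say that instead of stating that AppLocker isn't supported on them. The table also keeps the Windows 8.1 rows while removing the others, and the Windows 10 and Windows 11 note reads "on all editions Windows 10 version 2004", which is missing "of".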
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md
index e976eb85b8..256c416dbf 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker.md
@@ -1,68 +1,31 @@
---
title: What Is AppLocker
-description: This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
+description: This article for the IT professional describes what AppLocker is.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# What Is AppLocker?
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional describes what AppLocker is.
-This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.
+Windows includes two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. For information to help you choose when to use WDAC or AppLocker, see [WDAC and AppLocker overview](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview).
-AppLocker advances the app control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
+AppLocker helps you create rules to allow or deny apps from running based on information about the apps' files. You can also use AppLocker to control which users or groups can run those apps.
Using AppLocker, you can:
-- Control the following types of apps: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx).
-- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
-- Assign a rule to a security group or an individual user.
-- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
-- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
-- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
-- Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets.
-
-AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps
+- Control the following types of apps and files: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.mst, .msi and .msp), and DLL files (.dll and .ocx), and packaged apps and packaged app installers (appx).
+- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
+- Assign a rule to a security group or an individual user.
+- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
+- Use audit-only mode to deploy the policy and understand its effect before enforcing it.
+- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
+- Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets.
For information about the application control scenarios that AppLocker addresses, see [AppLocker policy use scenarios](applocker-policy-use-scenarios.md).
-## What features are different between Software Restriction Policies and AppLocker?
-
-**Feature differences**
-
-The following table compares AppLocker to Software Restriction Policies.
-
-|Feature|Software Restriction Policies|AppLocker|
-|--- |--- |--- |
-|Rule scope|All users|Specific user or group|
-|Rule conditions provided|File hash, path, certificate, registry path, and Internet zone|File hash, path, and publisher|
-|Rule types provided|Defined by the security levels:DisallowedBasic UserUnrestricted|Allow and deny|
-|Default rule action|Unrestricted|Implicit deny|
-|Audit-only mode|No|Yes|
-|Wizard to create multiple rules at one time|No|Yes|
-|Policy import or export|No|Yes|
-|Rule collection|No|Yes|
-|Windows PowerShell support|No|Yes|
-|Custom error messages|No|Yes|
-
-Application control function differences
-
-The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
-
-|Application control function|SRP|AppLocker|
-|--- |--- |--- |
-|Operating system scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to those supported operating system versions and editions listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). But these systems can also use SRP.**Note:** Use different GPOs for SRP and AppLocker rules.
|
-|User support|SRP allows users to install applications as an administrator.|AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.AppLocker permits customization of error messages to direct users to a Web page for help.|
-|Policy maintenance|SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).|AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.
AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.|
-|Policy management infrastructure|To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|
-|Block malicious scripts|Rules for blocking malicious scripts prevent all scripts associated with the Windows Script Host from running, except those scripts that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.|
-|Manage software installation|SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.|The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.|
-|Manage all software on the computer|All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.|Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.|
-|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. An administrator uses AppLocker to specify the user to whom a specific rule should apply.|
-
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
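Review bot: The removed "Operating system scope" row carried the guidance "Use different GPOs for SRP and AppLocker rules"; if that still holds for devices where both are configured, keep it as a note in this article or link to where it now lives, rather than dropping it along with the comparison table. In the added feature list, the first bullet chains two conjunctions ("and DLL files (.dll and .ocx), and packaged apps"), so the first "and" should go, and "The import and export affects the entire policy" needs subject-verb agreement ("Import and export affect the entire policy").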
From 71009b7741780af8177c6ddbdb4c40efbf49a65c Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Sat, 23 Dec 2023 11:23:54 -0800
Subject: [PATCH 5/7] Reviewed AppLocker articles for accuracy and fixed
acrolinx and readability issues
---
.../applocker-architecture-and-components.md | 27 +++---
.../applocker/applocker-functions.md | 49 +++++------
.../applocker-processes-and-interactions.md | 86 +++++++++----------
.../applocker/dll-rules-in-applocker.md | 33 ++++---
.../executable-rules-in-applocker.md | 23 +++--
.../applocker/how-applocker-works-techref.md | 53 ++++++------
...ckaged-app-installer-rules-in-applocker.md | 30 +++----
.../applocker/rule-collection-extensions.md | 4 +-
.../applocker/script-rules-in-applocker.md | 8 +-
.../security-considerations-for-applocker.md | 30 +++----
...plocker-allow-and-deny-actions-on-rules.md | 30 +++----
.../understanding-applocker-default-rules.md | 40 ++++-----
.../understanding-applocker-rule-behavior.md | 22 +++--
...nderstanding-applocker-rule-collections.md | 30 +++----
...standing-applocker-rule-condition-types.md | 51 +++++------
...understanding-applocker-rule-exceptions.md | 15 ++--
...e-file-hash-rule-condition-in-applocker.md | 21 ++---
...ng-the-path-rule-condition-in-applocker.md | 23 +++--
...e-publisher-rule-condition-in-applocker.md | 61 ++++++-------
19 files changed, 286 insertions(+), 350 deletions(-)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
index 93e671aff7..763fd8e86d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-architecture-and-components.md
@@ -1,34 +1,31 @@
---
title: AppLocker architecture and components
-description: This topic for IT professional describes AppLocker’s basic architecture and its major components.
+description: This article for IT professional describes AppLocker’s basic architecture and its major components.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker architecture and components
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professional describes AppLocker's basic architecture and its major components.
-This topic for IT professional describes AppLocker's basic architecture and its major components.
+AppLocker uses the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
-AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
+AppLocker provides three ways to intercept and validate if a file is allowed to run according to an AppLocker policy.
-AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy.
+## A new process is created
-**A new process is created**
+When an app file is run, a new process is created. When that happens, AppLocker calls the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run.
-When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run.
+## A DLL is loaded
-**A DLL is loaded**
+When a DLL is loaded, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.
-When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.
+## A script is run
-**A script is run**
+Before a script file is run, the script host (for example, PowerShell) calls AppLocker to verify the script. AppLocker calls the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it should run. In each case, the actions taken by AppLocker are written to the event log.
-Before a script file is run, the script host (for example, for .ps1 files, the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it's allowed to run. In each case, the actions taken by AppLocker are written to the event log.
-
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
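Review bot: Promoting the three interception paths to H2 headings leaves "In each case, the actions taken by AppLocker are written to the event log." as the last sentence under "## A script is run", where it now reads as applying to scripts only; move it up beside "AppLocker provides three ways to intercept and validate" or give it its own closing paragraph. The new description and intro still read "This article for IT professional describes", which needs "IT professionals" or "the IT professional". In the script paragraph, "to verify that it should run" is less precise than the replaced "it's allowed to run", which also matches the wording kept for the process and DLL cases.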
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
index 48067e47b9..8ab68a0205 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-functions.md
@@ -1,45 +1,40 @@
---
title: AppLocker functions
-description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
+description: This article for the IT professional lists the functions and security levels for AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker functions
-> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
+This article for the IT professional lists the functions and security levels for AppLocker.
## Functions
-Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2:
-
-- [SaferGetPolicyInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetpolicyinformation)
-- [SaferCreateLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercreatelevel)
-- [SaferCloseLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercloselevel)
-- [SaferIdentifyLevel Function](/windows/win32/api/winsafer/nf-winsafer-saferidentifylevel)
-- [SaferComputeTokenFromLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercomputetokenfromlevel)
-- [SaferGetLevelInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetlevelinformation)
-- [SaferRecordEventLogEntry Function](/windows/win32/api/winsafer/nf-winsafer-saferrecordeventlogentry)
-- [SaferiIsExecutableFileType Function](/windows/win32/api/winsafer/nf-winsafer-saferiisexecutablefiletype)
+- [SaferGetPolicyInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetpolicyinformation)
+- [SaferCreateLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercreatelevel)
+- [SaferCloseLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercloselevel)
+- [SaferIdentifyLevel Function](/windows/win32/api/winsafer/nf-winsafer-saferidentifylevel)
+- [SaferComputeTokenFromLevel Function](/windows/win32/api/winsafer/nf-winsafer-safercomputetokenfromlevel)
+- [SaferGetLevelInformation Function](/windows/win32/api/winsafer/nf-winsafer-safergetlevelinformation)
+- [SaferRecordEventLogEntry Function](/windows/win32/api/winsafer/nf-winsafer-saferrecordeventlogentry)
+- [SaferiIsExecutableFileType Function](/windows/win32/api/winsafer/nf-winsafer-saferiisexecutablefiletype)
## Security level ID
-AppLocker and SRP use the security level IDs to specify the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker.
+AppLocker uses the security level IDs to specify the access requirements to files listed in policies. The following table shows those security levels supported in AppLocker.
-| Security level ID | SRP | AppLocker |
-| - | - | - |
-| SAFER_LEVELID_FULLYTRUSTED | Supported | Supported |
-| SAFER_LEVELID_NORMALUSER | Supported | Not supported |
-| SAFER_LEVELID_CONSTRAINED | Supported | Not supported |
-| SAFER_LEVELID_UNTRUSTED | Supported | Not supported |
-| SAFER_LEVELID_DISALLOWED | Supported | Supported |
-
->[!Note]
->URL zone ID isn't supported in AppLocker.
+| Security level ID | AppLocker |
+| --- | --- |
+| SAFER_LEVELID_FULLYTRUSTED | Supported |
+| SAFER_LEVELID_NORMALUSER | Not supported |
+| SAFER_LEVELID_CONSTRAINED | Not supported |
+| SAFER_LEVELID_UNTRUSTED | Not supported |
+| SAFER_LEVELID_DISALLOWED | Supported |
+
+> [!NOTE]
+> URL zone ID isn't supported in AppLocker.
## Related articles
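Review bot: With the intro sentence under "## Functions" removed, the heading is followed by a bare list of Safer* (winsafer) links, while the description now says the article lists functions "for AppLocker"; add a one-line lead-in that says how these functions relate to AppLocker, since every entry still points at the SRP-era API. The security level table has the same gap: after the SRP column is dropped, three of the five rows say only "Not supported", so a sentence explaining why those SAFER_LEVELID values are listed at all would keep the table meaningful.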
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index 567b3bafc5..36cd302f29 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -1,9 +1,9 @@
---
title: AppLocker processes and interactions
-description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
+description: This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# AppLocker processes and interactions
@@ -11,85 +11,85 @@ ms.date: 09/21/2017
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
+This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
-## How policies are implemented by AppLocker
+## How AppLocker applies policies
-AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure.
+AppLocker policies are collections of rules that might contain any one of the enforcement mode settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure.
-The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service isn't running, policies won't be enforced. The Application Identity service returns the information from the binary -even if product or binary names are empty- to the results pane of the Local Security Policy snap-in.
+The AppLocker policy is enforced on a computer through the Application Identity service (appid.sys), which is the engine that evaluates the policies and runs within the Windows kernel. If the service isn't running, policies aren't enforced. The Application Identity service returns the information from the binary -even if product or binary names are empty- to the results pane of the Local Security Policy snap-in.
AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information:
-- Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form).
-- The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.)
-- The rule condition containing the **appid** attributes.
+- Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form).
+- The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID in SDDL.)
+- The rule condition containing the **appid** attributes.
-For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*").
+For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: `XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*")`.
-An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made.
+Appid.sys reads and caches the effective AppLocker policy for DLLs and executable files. Whenever a new policy is applied, a policy converter task notifies appid.sys. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made.
-### Understanding AppLocker rules
+## Understanding AppLocker rules
-An AppLocker rule is a control placed on a file to govern whether or not it's allowed to run for a specific user or group. Rules apply to five different types, or collections, of files:
+An AppLocker rule is a control placed on a file that controls whether or not it runs for a specific user or group. You create AppLocker rules for five different types of files, or collections:
-- An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications.
-- A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js.
-- A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, .mst and .msp (Windows Installer patch).
-- A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx.
-- A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension.
+- An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications.
+- A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js.
+- A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, .mst and .msp (Windows Installer patch).
+- A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx.
+- A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension.
There are three different types of conditions that can be applied to rules:
-- A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed.
-- A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories.
-- A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes.
+- A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed.
+- A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories.
+- A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes.
-- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps.
-- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
- - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
- - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
- - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
-- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+ - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
+ - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
+ - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
- - [Executable rules in AppLocker](executable-rules-in-applocker.md)
- - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
- - [Script rules in AppLocker](script-rules-in-applocker.md)
- - [DLL rules in AppLocker](dll-rules-in-applocker.md)
- - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
-- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+ - [Executable rules in AppLocker](executable-rules-in-applocker.md)
+ - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
+ - [Script rules in AppLocker](script-rules-in-applocker.md)
+ - [DLL rules in AppLocker](dll-rules-in-applocker.md)
+ - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
- You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset.
+ You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, the rule affects all users in that group. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset.
-- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
Each AppLocker rule collection functions as an allowed list of files.
-### Understanding AppLocker policies
+## Understanding AppLocker policies
-An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers.
+An AppLocker policy is a set of rule collections and their corresponding configured enforcement mode settings applied to one or more computers.
-- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
+- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced.
-### Understanding AppLocker and Group Policy
+## Understanding AppLocker and Group Policy
Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies.
-- [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
+- [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
- When Group Policy is used to distribute AppLocker policies, rule collections that aren't configured will be enforced. Group Policy doesn't overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules.
- AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied.
+ When Group Policy is used to distribute AppLocker policies, rule collections containing one or more rules are enforced unless the enforcement mode is set to **Audit only**. Group Policy doesn't overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules.
+ AppLocker processes explicit deny rules before any allow rules, and for rule enforcement, the last write to the GPO is applied.
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
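Review bot: The rewritten enforcement paragraph equates the Application Identity service with appid.sys and says it "runs within the Windows kernel", yet the next sentence is about the service not running, and the architecture article in this same patch has the Application Identity component called "in user-mode" for scripts; name the service and the driver separately so a reader knows which one to check when policies aren't enforced. The SID bullet drops the "AU" abbreviation while the SDDL example two lines later still uses AU, so keep it. Unchanged wording worth fixing in the same pass: "five different types of files" here versus "four collections" under enforcement settings, and "matching encrypted hashes", since a file hash is not encrypted.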
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index 39003c7034..36da65e276 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -1,37 +1,34 @@
---
title: DLL rules in AppLocker
-description: This topic describes the file formats and available default rules for the DLL rule collection.
+description: This article describes the file formats and available default rules for the DLL rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# DLL rules in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes the file formats and available default rules for the DLL rule collection.
+This article describes the file formats and available default rules for the DLL rule collection.
AppLocker defines DLL rules to include only the following file formats:
-- .dll
-- .ocx
+- .dll
+- .ocx
+
+> [!IMPORTANT]
+> If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps, including Windows system files.
The following table lists the default rules that are available for the DLL rule collection.
| Purpose | Name | User | Rule condition type |
-| - | - | - | - |
-| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs| BUILTIN\Administrators | Path: *|
-| Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\*|
-| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| Everyone | Path: %programfiles%\*|
-
-> [!IMPORTANT]
-> If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
+| --- | --- | --- | --- |
+| Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs | BUILTIN\Administrators | Path: * |
+| Allow all users to run DLLs in the Windows folder | (Default Rule) Microsoft Windows DLLs | Everyone | Path: %windir%\* |
+| Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder | Everyone | Path: %programfiles%\* |
> [!CAUTION]
-> When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.
-
-## Related topics
+> When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used on computers that are resource constrained.
+
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
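Review bot: The relocated [!IMPORTANT] callout still says an allow rule is needed "for each DLL that is used by all of the allowed apps", which reads as only the DLLs common to every app. The added "including Windows system files" suggests the intent is every DLL that any allowed app loads, so say that directly, for example "for every DLL that any allowed app loads, including Windows system files". In the rewritten table, the first row's Purpose still begins "Allows" while the other two begin "Allow"; since all three rows are being touched, make them consistent.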
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index 4e0d5303e8..e90dc2b98e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -1,26 +1,23 @@
---
title: Executable rules in AppLocker
-description: This topic describes the file formats and available default rules for the executable rule collection.
+description: This article describes the file formats and available default rules for the executable rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Executable rules in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article describes the file formats and available default rules for the executable rule collection.
-This topic describes the file formats and available default rules for the executable rule collection.
-
-AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an app. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following table lists the default rules that are available for the executable rule collection.
+AppLocker executable rules conceptually apply to files with the .exe and .com extensions that are associated with an app. However, AppLocker executable rules actually apply to any portable executable (PE) file, regardless of the file's extension. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths can run. The following table lists the default rules that are available for the executable rule collection.
| Purpose | Name | User | Rule condition type |
-| - | - | - | - |
-| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files| BUILTIN\Administrators | Path: * |
-| Allow all users to run executable files in the Windows folder| (Default Rule) All files located in the Windows folder| Everyone| Path: %windir%\*|
-| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder| Everyone | Path: %programfiles%\*|
-
-## Related topics
+| --- | --- | --- | --- |
+| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files | BUILTIN\Administrators | Path: * |
+| Allow all users to run executable files in the Windows folder| (Default Rule) All files located in the Windows folder | Everyone| Path: %windir%\* |
+| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder| Everyone | Path: %programfiles%\* |
+
+## Related articles
- [Understanding AppLocker Default Rules](understanding-applocker-default-rules.md)
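Review bot: The rewritten intro paragraph says executable rules "conceptually apply" to .exe and .com files and then that they "actually apply to any portable executable (PE) file, regardless of the file's extension", which leaves it unclear how this relates to the DLL rule collection that the DLL article in this same patch limits to .dll and .ocx. State the scope once and say which collection governs a PE file that is loaded as a library rather than started as a process. The next sentence ("all files under those paths can run") would also benefit from saying explicitly that it now covers PE files of any extension under those paths. Minor: the second and third table rows still have uneven cell spacing ("folder|", "Everyone|") even though the other cells were normalized.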
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md
index b05b76c318..b2f3e10097 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/how-applocker-works-techref.md
@@ -1,45 +1,42 @@
---
title: How AppLocker works
-description: This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
+description: This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# How AppLocker works
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies.
-This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.
+The following articles explain how AppLocker policies for each of the rule condition types are evaluated:
-The following topics explain how AppLocker policies for each of the rule condition types are evaluated:
+- [AppLocker architecture and components](applocker-architecture-and-components.md)
+- [AppLocker processes and interactions](applocker-processes-and-interactions.md)
-- [AppLocker architecture and components](applocker-architecture-and-components.md)
-- [AppLocker processes and interactions](applocker-processes-and-interactions.md)
+The following articles explain how AppLocker rules and policies work:
-The following topics explain how AppLocker rules and policies work:
+- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
-- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
-- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
-- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
-- [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
-- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+ - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
+ - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
+ - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
- - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
- - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
- - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
+- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
-- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+ - [Executable rules in AppLocker](executable-rules-in-applocker.md)
+ - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
+ - [Script rules in AppLocker](script-rules-in-applocker.md)
+ - [DLL rules in AppLocker](dll-rules-in-applocker.md)
+ - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
- - [Executable rules in AppLocker](executable-rules-in-applocker.md)
- - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
- - [Script rules in AppLocker](script-rules-in-applocker.md)
- - [DLL rules in AppLocker](dll-rules-in-applocker.md)
- - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+## More resources
-## Additional resources
-
-- [AppLocker Design Guide](applocker-policies-design-guide.md)
-- [AppLocker deployment guide](applocker-policies-deployment-guide.md)
-- [Administer AppLocker](administer-applocker.md)
+- [AppLocker Design Guide](applocker-policies-design-guide.md)
+- [AppLocker deployment guide](applocker-policies-deployment-guide.md)
+- [Administer AppLocker](administer-applocker.md)
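Review bot: The lead-in kept for the first list, "The following articles explain how AppLocker policies for each of the rule condition types are evaluated:", doesn't describe the two links under it (architecture and components, processes and interactions); the rule condition type articles are in the second list. Suggest rewording it to match, for example "The following articles describe AppLocker architecture and how its components interact:". The new opening paragraph also repeats the front-matter description word for word, so one of the two could be shortened.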
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 92d016a3dc..d084a76681 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -1,30 +1,26 @@
---
title: Packaged apps and packaged app installer rules in AppLocker
-description: This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
+description: This article explains the AppLocker rule collection for packaged app installers and packaged apps.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 10/13/2017
+ms.date: 12/23/2023
---
# Packaged apps and packaged app installer rules in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article explains the AppLocker rule collection for packaged app installers and packaged apps.
-This topic explains the AppLocker rule collection for packaged app installers and packaged apps.
+Packaged apps can be installed through the Microsoft Store or can be sideloaded using the Windows PowerShell cmdlets. Standard users can install packaged apps unlike some Classic Windows applications that sometimes require administrative privileges for installation. Typically, an app consists of multiple components - the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, those components often don't share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections - exe, dll, script and Windows Installers. In contrast, all the components of a Packaged app share the same attributes: Publisher name, Package name and Package version. It's therefore possible to control an entire app with a single rule.
-Universal Windows apps can be installed through the Microsoft Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation.
-Typically, an app consists of multiple components - the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections - exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It's therefore possible to control an entire app with a single rule.
+AppLocker enforces rules for Packaged apps separately from Classic Windows applications. A single AppLocker rule for a Packaged app can control both the installation and the running of an app. Because all Packaged apps are signed, AppLocker supports only publisher rules for Packaged apps. A publisher rule for a Packaged app is based on the following attributes of the app:
-AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. A publisher rule for a Universal Windows app is based on the following attributes of the app:
+- Publisher name
+- Package name
+- Package version
-- Publisher name
-- Package name
-- Package version
+In summary, including AppLocker rules for Packaged apps in your policy design provides:
-In summary, including AppLocker rules for Universal Windows apps in your policy design provides:
-
-- The ability to control the installation and running of the app
-- The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app
-- The ability to create application control policies that survive app updates
-- Management of Universal Windows apps through Group Policy.
+- The ability to control the installation and running of the app.
+- The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app.
+- The ability to create application control policies that survive app updates.
+- Management of Packaged apps through Group Policy.
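Review bot: "Packaged app" is capitalized mid-sentence throughout the new body ("a Packaged app", "all Packaged apps are signed", "Management of Packaged apps") while the title, the description and "Standard users can install packaged apps" use lowercase. Pick one form; lowercase matches the title. In the merged paragraph, "Standard users can install packaged apps unlike some Classic Windows applications" needs a comma before "unlike", and "exes, dlls" would read better as "EXE files, DLL files" given that this pass targets readability.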
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md
index 8f2cf40012..4b31cb39d6 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions.md
@@ -6,12 +6,12 @@ ms.collection:
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 12/19/2023
+ms.date: 12/23/2023
---
# AppLocker rule collection extensions
-This article describes the rule collection extensions added in Windows 10 or later. Rule collection extensions are optional features available only for the EXE and DLL rule collections. Configure rule collection extensions by directly editing your AppLocker policy XML as shown in the following XML fragment.
+This article describes the rule collection extensions added in Windows 10 and later. Rule collection extensions are optional features available only for the EXE and DLL rule collections. Configure rule collection extensions by directly editing your AppLocker policy XML as shown in the following XML fragment.
```xml
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md
index ea18273ead..0343d4d644 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -3,7 +3,7 @@ title: Script rules in AppLocker
description: This article describes the file formats and available default rules for the script rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 06/15/2022
+ms.date: 12/23/2023
---
# Script rules in AppLocker
@@ -20,10 +20,10 @@ AppLocker defines script rules to include only the following file formats:
The following table lists the default rules that are available for the script rule collection.
| Purpose | Name | User | Rule condition type |
-| - | - | - | - |
+| --- | --- | --- | --- |
| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` |
-| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` |
-| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`|
+| Allow all users to run scripts in the Windows folder | (Default Rule) All scripts located in the Windows folder | Everyone | Path: `%windir%\*` |
+| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder | Everyone | Path: `%programfiles%\*`|
> [!NOTE]
> When a script runs that is not allowed by policy, AppLocker raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host. In the case of PowerShell, "blocked" scripts will still run, but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). Authorized scripts run in Full Language Mode.
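Review bot: The Administrators row, left unchanged as context, gives the path as "*\" while the equivalent default rule in the DLL and executable tables in this patch is "Path: *". Since this is an accuracy pass and the two rows below it are being edited, please confirm which value is correct and fix it here if it is a typo. Minor: that row still begins "Allows" where the others begin "Allow", and the rewritten rows keep uneven spacing ("folder| (Default Rule)" and the missing space before the final pipe on the Program Files row).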
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index 69f190b3f5..0422c26a4d 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -1,47 +1,39 @@
---
title: Security considerations for AppLocker
-description: This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
+description: This article for the IT professional describes the security considerations you need to address when implementing AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Security considerations for AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for the IT professional describes the security considerations you need to address when implementing AppLocker.
-This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
-
-The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for
-AppLocker:
+AppLocker helps restrict access to software for specific users or groups of users. The following are security considerations for AppLocker:
AppLocker is deployed within an enterprise and administered centrally by those resources in IT with trusted credentials. This system makes its policy creation and deployment conform to similar policy deployment processes and security restrictions.
-AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that isn't in a GPO will still be evaluated for that computer.
+AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement mode settings from AppLocker policies distributed through Group Policy Objects (GPO) take precedence over local policies. However, because AppLocker rules are additive, a local policy's rules are merged with rules from any GPOs applied to the computer.
Microsoft doesn't provide a way to develop any extensions to AppLocker. The interfaces aren't public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460962(v=technet.10)).
-AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that isn't in a GPO will still be evaluated for that computer. If the local computer isn't joined to a domain and isn't administered by Group Policy, a person with administrative credentials can alter the AppLocker policy.
+AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. Because AppLocker rules are additive, any local policy rules are applied to that computer along with any GPOs. If the local computer isn't joined to a domain or controlled by Group Policy, a person with administrative credentials can fully control the AppLocker policy.
-When files are being secured in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it's still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy.
+AppLocker path rules don't replace access control lists (ACLs). You should continue to use ACLs to restrict access to files according to your security policy.
-AppLocker doesn't protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there's already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it's a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe.
-
-You can't use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this rule applies to the (POSIX) subsystem in Windows NT. If it's a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem.
+You can't use AppLocker to prevent code from running outside the Win32 subsystem. For example, it can't control code running in the Windows Subsystem for Linux. If it's a requirement to prevent applications from running in the Linux subsystem, you must disable the subsystem. Or, you can block the Windows Subsystem for Linux by blocking LxssManager.dll.
AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It doesn't control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker can't control every kind of interpreted code, such as Microsoft Office macros.
> [!IMPORTANT]
> You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.
-
-AppLocker rules either allow or prevent an application from launching. AppLocker doesn't control the behavior of applications after they're launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.
+
+AppLocker rules either allow or block application file from running. AppLocker doesn't control the behavior of applications after they're launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an allowed application could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.
> [!NOTE]
> Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded.
-You can block the Windows Subsystem for Linux by blocking LxssManager.dll.
-
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
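Review bot: In the new Windows Subsystem for Linux paragraph, "you must disable the subsystem. Or, you can block the Windows Subsystem for Linux by blocking LxssManager.dll" states a requirement and then offers an alternative to it. Reword as a single either/or sentence, and say which rule collection the LxssManager.dll block belongs in so readers know whether DLL rules have to be enabled for it to take effect. There is also a grammar slip in the rewritten sentence "AppLocker rules either allow or block application file from running" (should be "an application file" or "application files"). The statement that AppLocker rules are additive now appears in two paragraphs in nearly the same words; the second occurrence could be trimmed.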
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index a10756f305..bd84599f4e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -1,36 +1,28 @@
---
title: Understanding AppLocker allow and deny actions on rules
-description: This topic explains the differences between allow and deny actions on AppLocker rules.
+description: This article explains the differences between allow and deny actions on AppLocker rules.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding AppLocker allow and deny actions on rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic explains the differences between allow and deny actions on AppLocker rules.
+This article explains the differences between allow and deny actions on AppLocker rules.
## Allow action versus deny action on rules
-Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This **block by default, allow by exception** configuration makes it easier to determine what will occur when an AppLocker rule is applied.
+Each AppLocker rule collection functions as an explicit allowlist of files. You can only run files that are covered by one or more allow rules within the rule collection. You can also create rules that explicitly deny some files from running. All other files not covered by an explicit Allow or Deny rule are *implicitly* blocked from running. Understanding this **block by default, allow by exception** behavior is critical when analyzing how your policy affects users in your organization.
-You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file.
+When AppLocker applies rules, it first checks whether any explicit deny actions are specified in the rule list. If you deny a file from running in a rule collection, the deny action takes precedence over any allow action and can't be overridden. Then, AppLocker checks for any explicit allow actions for the file. Because AppLocker functions as an allowlist by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action blocks the file.
-### Deny rule considerations
+### Using AppLocker to implement a blocklist
-Although you can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files, this configuration is not recommended. The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path. The following table details security concerns for different rule conditions with deny actions.
+Although you can use AppLocker to create an explicit blocklist policy, this approach doesn't scale well for most organizations and isn't recommended as a practical application control strategy. However, if you choose to do so, be sure to include an "allow \*" rule within the rule collection so that all other files run.
-| Rule condition | Security concern with deny action |
-| - | - |
-| Publisher | A user could modify the properties of a file (for example, re-signing the file with a different certificate).|
-| File hash | A user could modify the hash for a file.|
-| Path | A user could move the denied file to a different location and run it from there.|
-
->**Important:** If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running.
-
-## Related topics
+> [!IMPORTANT]
+> If you don't include allow rules for all required apps, including Windows system files, within a rule collection, you will cause unexpected results because your policy will *implicitly* deny all other files on the computer from running.
+
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
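Review bot: The new blocklist paragraph says to include an "allow \*" rule "within the rule collection", singular, but the default deny described in the first added paragraph takes effect per rule collection. Every collection that carries a deny rule needs its own allow rule, so suggest "within each rule collection that contains deny rules". Separately, the removed "Deny rule considerations" table recorded why a deny rule can stop matching (file re-signed, changed, or moved). The replacement text gives scale as the only reason to avoid a blocklist, so consider keeping one sentence on that. In the [!IMPORTANT] note, "you will cause unexpected results" could state the result directly: those files are blocked.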
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index 764edf8acd..b70374af0f 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -1,43 +1,39 @@
---
title: Understanding AppLocker default rules
-description: This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
+description: This article for IT professional describes the set of rules that can be used to ensure that required Windows system files continue to run when the policy is applied.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding AppLocker default rules
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professional describes the set of rules that can be used to ensure that required Windows system files continue to run when the policy is applied.
-This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied.
-
-AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
+The AppLocker wizard includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
> [!IMPORTANT]
> You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run.
-
-If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run.
-The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
-- Traverse Folder/Execute File
-- Create Files/Write Data
-- Create Folders/Append Data
+If you require extra app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
+
+- Traverse Folder/Execute File
+- Create Files/Write Data
+- Create Folders/Append Data
These permissions settings are applied to this folder for app compatibility. However, because any user can create files in this location, allowing applications to be run from this location might conflict with your organization's security policy.
## In this section
-| Topic | Description |
-| - | - |
-| [Executable rules in AppLocker](executable-rules-in-applocker.md) | This topic describes the file formats and available default rules for the executable rule collection. |
-| [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) | This topic describes the file formats and available default rules for the Windows Installer rule collection.|
-| [Script rules in AppLocker](script-rules-in-applocker.md) | This topic describes the file formats and available default rules for the script rule collection.|
-| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This topic describes the file formats and available default rules for the DLL rule collection.|
-| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This topic explains the AppLocker rule collection for packaged app installers and packaged apps.|
-
-## Related topics
+| Article | Description |
+| --- | --- |
+| [Executable rules in AppLocker](executable-rules-in-applocker.md) | This article describes the file formats and available default rules for the executable rule collection. |
+| [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) | This article describes the file formats and available default rules for the Windows Installer rule collection.|
+| [Script rules in AppLocker](script-rules-in-applocker.md) | This article describes the file formats and available default rules for the script rule collection.|
+| [DLL rules in AppLocker](dll-rules-in-applocker.md) | This article describes the file formats and available default rules for the DLL rule collection.|
+| [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This article explains the AppLocker rule collection for packaged app installers and packaged apps.|
+
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
- [Create AppLocker default rules](create-applocker-default-rules.md)
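Review bot: The description and the new opening sentence both still read "This article for IT professional describes"; both lines are rewritten in this hunk, so make it "IT professionals". The opening sentence is a word-for-word copy of the front-matter description, so the same fix applies to both. In the Temp subfolder paragraph, the text stops at "might conflict with your organization's security policy"; a closing sentence pointing to rule exceptions for user-writable subfolders would tell the reader what to do about it.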
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
index 7a6eea342e..e97d2e0962 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
@@ -1,27 +1,25 @@
---
title: Understanding AppLocker rule behavior
-description: This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
+description: This article describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding AppLocker rule behavior
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
-This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker.
-
-If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
+If no AppLocker rules exist for a specific rule collection, all files covered by that rule collection are allowed to run. However, once an AppLocker rule for a specific rule collection is created, only the files explicitly allowed by at least one rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. Executable files run from any other path are blocked.
A rule can be configured to use either an allow or deny action:
-- **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
-- **Deny**. You can specify which files aren't allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+- **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
+- **Deny**. You can specify which files aren't allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
->**Important:** You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.
-
-## Related topics
+> [!IMPORTANT]
+> You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases.
+
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
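Review bot: The rewritten [!IMPORTANT] note drops "Deny actions can also be circumvented" and its path example, leaving "deny actions override allow actions in all cases" as the only reason given for preferring allow rules with exceptions. The path-condition article in this same patch keeps that caveat, so a link to understanding-the-path-rule-condition-in-applocker.md from this note would preserve the guidance without repeating it. The added sentence "Executable files run from any other path are blocked" is a useful clarification of the default-deny behavior.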
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
index 3f9f5ad500..bd418d4ce7 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
@@ -1,33 +1,33 @@
---
title: Understanding AppLocker rule collections
-description: This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
+description: This article explains the five different types of AppLocker rule collections used to enforce AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding AppLocker rule collections
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic explains the five different types of AppLocker rules used to enforce AppLocker policies.
+This article explains the five different types of AppLocker rule collections used to enforce AppLocker policies.
An AppLocker rule collection is a set of rules that apply to one of five types:
-- Executable files: .exe and .com
-- Windows Installer files: .msi, mst, and .msp
-- Scripts: .ps1, .bat, .cmd, .vbs, and .js
-- DLLs: .dll and .ocx
-- Packaged apps and packaged app installers: .appx
+- Executable files: .exe and .com
+- Windows Installer files: .msi, mst, and .msp
+- Scripts: .ps1, .bat, .cmd, .vbs, and .js
+- DLLs: .dll and .ocx
+- Packaged apps and packaged app installers: .appx
-If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps.
+> [!IMPORTANT]
+> Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Be sure you create DLL allow rules for every DLL that is used by any of the allowed apps. Denying some DLLs from running can also create app compatibility problems.
+>
+> DLL rules might cause performance problems on some computers which are already resource constrained.
+>
+> As a result, the DLL rule collection is not enabled by default.
->**Important:** Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default.
-
For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
-## Related topics
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
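Review bot: In the Windows Installer bullet, "mst" is missing its leading dot (".msi, mst, and .msp"); the line is already touched for whitespace, so fix it to ".mst" in the same change. In the new [!IMPORTANT] block, "computers which are already resource constrained" should use "that", and "before it is allowed" and "is not enabled" stay uncontracted while the rest of the patch moves to contractions.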
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
index bad3241ee2..2c4967a466 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
@@ -1,55 +1,46 @@
---
title: Understanding AppLocker rule condition types
-description: This topic for the IT professional describes the three types of AppLocker rule conditions.
+description: This article for the IT professional describes the three types of AppLocker rule conditions.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding AppLocker rule condition types
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes the three types of AppLocker rule conditions.
+This article for the IT professional describes the three types of AppLocker rule conditions.
Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
-**Publisher**
+## Publisher
-To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
+To use a publisher condition, the software publisher must digitally sign their app files, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
-**Path**
+## Path
-Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted). For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
+Any file can be assigned this rule condition. However, because path rules specify locations within the file system, the rule also affects any subdirectories unless explicitly exempted. For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
-**File hash**
+## File hash
-Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is unique to that the version of the file. For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).
+Any file can be assigned this rule condition. However, the rule must be updated each time a new version of the file is released because the Authenticode hash value is unique for each version of the file. For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).
-### Considerations
+## Considerations
Selecting the appropriate condition for each rule depends on the overall application control policy goals of the organization, the AppLocker rule maintenance goals, and the condition of the existing (or planned) application deployment. The following questions can help you decide which rule condition to use.
-1. Is the file digitally signed by a software publisher?
+1. Is the file digitally signed by a software publisher?
- If the file is signed by a software publisher, we recommend that you create rules with publisher conditions. You may still create file hash and path conditions for signed files. However, if the file is not digitally signed by a software publisher, you can:
+ If the software publisher signed the file, we recommend that you create rules with publisher conditions. You can still create file hash and path conditions for signed files. However, if the software publisher didn't sign the file, you can:
+
+ - Sign the file by using an internal certificate.
+ - Create a rule by using a file hash condition.
+ - Create a rule by using a path condition.
- - Sign the file by using an internal certificate.
- - Create a rule by using a file hash condition.
- - Create a rule by using a path condition.
-
> [!NOTE]
- > To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example,
- `Get-AppLockerFileInformation -Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.
-
-2. What rule condition type does your organization prefer?
-
- If your organization is already using Software Restriction Policies (SRP) to restrict what files users can run, rules using file hash or path conditions are probably already in place.
-
- > [!NOTE]
- > For a list of supported operating system versions and editions to which SRP and AppLocker rules can be applied, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
-
-## Related topics
+ > To determine how many applications on a reference computer are digitally signed, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet for a directory of files. For example, `Get-AppLockerFileInformation -Directory C:\Windows\ -FileType EXE -recurse` displays the properties for all .exe and .com files within the Windows directory.
+
+2. What rule condition type does your organization prefer?
+
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
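Review bot: Question 2, "What rule condition type does your organization prefer?", is left with no body once the SRP paragraph and its note are removed, so the numbered list ends on an unanswered question. Either add a sentence of guidance under it or drop item 2 and change the lead-in "The following questions can help you decide" to the singular. In the example command, `-recurse` would read better as `-Recurse` to match the casing of the other parameters.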
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
index 416310d176..2df99102d0 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
@@ -1,24 +1,23 @@
---
title: Understanding AppLocker rule exceptions
-description: This topic describes the result of applying AppLocker rule exceptions to rule collections.
+description: This article describes the result of applying AppLocker rule exceptions to rule collections.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding AppLocker rule exceptions
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+
-This topic describes the result of applying AppLocker rule exceptions to rule collections.
+This article describes the result of applying AppLocker rule exceptions to rule collections.
-You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset.
+You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, the rule affects all users in that group. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset.
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but doesn't allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception for the rule).
The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks.
-To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
+To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that blocks Registry Editor for all users, the deny rule overrides the second rule that allows the Helpdesk user group to run Registry Editor.
-## Related topics
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
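Review bot: The unchanged example sentence says the rule "doesn't allow anyone to run Registry Editor", but the last paragraph shows a second allow rule letting Helpdesk run it, so the path exception only removes regedit.exe from this rule's scope rather than blocking it. That paragraph then contrasts this with a deny rule, which does override the Helpdesk allow rule, so the distinction matters to the reader. Suggest rewording the example to something like "but excludes Registry Editor from what this rule allows".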
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index 9c95ff5c19..9937009a5e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -1,26 +1,23 @@
---
title: Understanding the file hash rule condition in AppLocker
-description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied.
+description: This article explains how to use the AppLocker file hash rule condition and its advantages and disadvantages.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding the file hash rule condition in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article explains how to use the AppLocker file hash rule condition and its advantages and disadvantages.
-This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied.
-
-File hash rules use a system-computed cryptographic hash of the identified file. For files that aren't digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition.
+File hash rules use a system-computed Authenticode cryptographic hash of the identified file. For files that aren't digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition.
| File hash condition advantages | File hash condition disadvantages |
-| - | - |
-| Because each file has a unique hash, a file hash condition applies to only one file. | Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.|
-
-For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+| --- | --- |
+| Because each file has a unique hash, a file hash condition applies to only one file. | Each time that the file is updated (such as a security update or upgrade), the file's Authenticode hash changes. As a result, you must manually update file hash rules. |
-## Related topics
+For an overview of the three types of AppLocker rule conditions and their advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
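Review bot: The rewritten cross-reference sentence reads "and their advantages and disadvantages of each", which states the possessive twice; use either "and their advantages and disadvantages" or "and the advantages and disadvantages of each". The new description also promises "how to use" the file hash condition, while the body shown in this hunk only defines the condition and lists its trade-off, so "explains the AppLocker file hash rule condition and its advantages and disadvantages" would match the content.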
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 4a28e77011..2d1d4b9cae 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -1,29 +1,26 @@
---
title: Understanding the path rule condition in AppLocker
-description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied.
+description: This article explains how to apply the AppLocker path rule condition and its advantages and disadvantages.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding the path rule condition in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied.
+This article explains how to apply the AppLocker path rule condition and its advantages and disadvantages.
The path condition identifies an application by its location in the file system of the computer or on the network.
-When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition.
+Path rules that use the deny action, are less effective than other types of rules, because a user (or malware acting as a user) can easily copy the file to a different location to run it. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by nonadministrators. For example, if you create a path rule using the allow action for C:\\, any file under that location can run, including file within users' profiles. The following table describes the advantages and disadvantages of the path condition.
|Path condition advantages|Path condition disadvantages|
-|--- |--- |
-|You can easily control many folders or a single file.You can use the asterisk (*) as a wildcard character within path rules.|It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.|
+| --- | --- |
+| You can easily control many folders or a single file. You can use the asterisk (*) as a wildcard character within path rules. | It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by nonadministrators. You must specify the full path to a file or folder when creating path rules so that the rule is properly enforced. |
-AppLocker doesn't enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.
+AppLocker doesn't enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule is properly enforced.
-The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule.
+The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that the rule affects all files and subfolders within the Internet Explorer folder.
AppLocker uses path variables for well-known directories in Windows. Path variables aren't environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables.
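Review bot: The rewritten opening paragraph of this hunk introduces two grammar slips: the comma in "Path rules that use the deny action, are less effective" separates the subject from its verb, and "including file within users' profiles" should read "files". The new wording also replaces "less secure than publisher and file hash conditions" with "less effective than other types of rules"; naming the publisher and file hash conditions, as the old text did, tells the reader what to use instead. The unchanged wildcard paragraph still says "can be used within **Path** field" and needs "the" before **Path**.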
@@ -36,8 +33,8 @@ AppLocker uses path variables for well-known directories in Windows. Path variab
| Removable media (for example, CD or DVD) | %REMOVABLE% | |
| Removable storage device (for example, USB flash drive) | %HOT% | |
-For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+For an overview of the three types of AppLocker rule conditions and their advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
-## Related topics
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
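Review bot: The replacement closing sentence reads "their advantages and disadvantages of each", which doubles up "their" and "of each". Drop "of each" so it matches the wording this patch uses for the same sentence in understanding-the-publisher-rule-condition-in-applocker.md ("their advantages and disadvantages").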
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index a915c31c36..171ef6e3f1 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -1,63 +1,58 @@
---
title: Understanding the publisher rule condition in AppLocker
-description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied.
+description: This article explains how to apply the AppLocker publisher rule condition and what controls are available.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Understanding the publisher rule condition in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article explains how to apply the AppLocker publisher rule condition and what controls are available.
-This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied.
-
-Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization.
-Publisher conditions are easier to maintain than file hash conditions and are more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages
-of the publisher condition.
+Publisher conditions can be made only for files that are digitally signed. This condition identifies an app's file based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher can be a software development company, such as Microsoft, or the Information Technology department of your organization. Publisher conditions are easier to maintain than file hash conditions and are more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages of the publisher condition.
|Publisher condition advantages|Publisher condition disadvantages|
-|--- |--- |
-|Frequent updating isn't required.You can apply different values within a certificate.A single rule can be used to allow an entire product suite.You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.|The file must be signed.Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.|
-
+| --- | --- |
+| Frequent updating isn't required. You can apply different values within a certificate. A single rule can be used to allow an entire product suite. You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.| The file must be signed. Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.|
+
Wildcard characters can be used as values in the publisher rule fields according to the following specifications:
-- **Publisher**
+- **Publisher**
- The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name "\*x\*". A question mark (?) isn't a valid wildcard character in this field.
+ The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name "\*x\*." A question mark (?) isn't a valid wildcard character in this field.
-- **Product name**
+- **Product name**
The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. A question mark (?) isn't a valid wildcard character in this field.
-- **File name**
+- **File name**
- Either the asterisk (\*) or question mark (?) characters used by themselves represent any and all file names. When combined with any string value, the string is matched with any file name containing that string.
+ Either the asterisk (\*) or question mark (?) characters used by themselves represent any file names. When combined with any string value, the string is matched with any file name containing that string.
-- **File version**
+- **File version**
The asterisk (\*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits:
- - **Exactly**. The rule applies only to this version of the app
- - **And above**. The rule applies to this version and all later versions.
- - **And Below**. The rule applies to this version and all earlier versions.
+ - **Exactly**. The rule applies only to this version of the app
+ - **And above**. The rule applies to this version and all later versions.
+ - **And Below**. The rule applies to this version and all earlier versions.
The following table describes how a publisher condition is applied.
| Option | The publisher condition allows or denies...|
-| - | - |
-| **All signed files** | All files that are signed by a publisher.|
-| **Publisher only** | All files that are signed by the named publisher.|
-| **Publisher and product name** | All files for the specified product that are signed by the named publisher.|
-| **Publisher, product name, and file name** | Any version of the named file for the named product that is signed by the publisher.|
-| **Publisher, product name, file name, and file version** | **Exactly**
The specified version of the named file for the named product that is signed by the publisher.|
-| **Publisher, product name, file name, and file version** | **And above**
The specified version of the named file and any new releases for the product that are signed by the publisher.|
-| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file and any older versions for the product that are signed by the publisher.|
-| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, and **Version** fields to create a custom rule.|
-
-For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+| --- | --- |
+| **All signed files** | All files signed by a publisher. |
+| **Publisher only** | All files signed by the named publisher. |
+| **Publisher and product name** | All files for the specified product signed by the named publisher. |
+| **Publisher, product name, and file name** | Any version of the named file for the named product and signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **Exactly**
The specified version of the named file for the named product signed by the publisher. |
+| **Publisher, product name, file name, and file version** | **And above**
The specified version of the named file and any later versions of the file for the named product signed by the publisher. |
+| **Publisher, product name, file name, and file version**| **And below**
The specified version of the named file and any older versions for the named product signed by the publisher. |
+| **Custom** | You can edit the **Publisher**, **Product name**, **File name**, and **Version** fields to create a custom rule. |
-## Related topics
+For an overview of the three types of AppLocker rule conditions and their advantages and disadvantages, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
+
+## Related articles
- [How AppLocker works](how-applocker-works-techref.md)
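Review bot: In the **Publisher** wildcard paragraph, moving the period inside the quotation marks ("\*x\*.") makes the literal value ambiguous, and the existing "M\*." has the same problem: a reader cannot tell whether the period is part of the string the rule matches. Because this paragraph is specifically about the asterisk being treated literally, put the example values in code formatting or keep the sentence punctuation outside the quotes. Two smaller points in the same hunk: "represent any file names" in the **File name** item should be "any file name", and the table row "Any version of the named file for the named product and signed by the publisher" reads better without "and", matching the rows around it.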
From 6709193f62413df9c14cf0c4cadf373834a28fb5 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Sun, 24 Dec 2023 00:07:00 -0800
Subject: [PATCH 6/7] Reviewed AppLocker articles for accuracy and addressed
Acrolinx and readability issues.
---
...blishing.redirection.windows-security.json | 5 ++
.../TOC.yml | 2 -
.../applocker/applocker-settings.md | 30 --------
.../applocker/tools-to-use-with-applocker.md | 31 ++++----
.../using-event-viewer-with-applocker.md | 74 +++++++++----------
5 files changed, 55 insertions(+), 87 deletions(-)
delete mode 100644 windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index d666189bcf..6b215db613 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -4560,6 +4560,11 @@
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md",
+ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference",
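Review bot: The existing entry directly above the added one still has a redirect_url ending in /applocker/applocker-settings, which is the article this patch deletes, so that older path now resolves in two hops (to applocker-settings, then to applocker-overview). Point the existing entry's redirect_url straight at applocker-overview in this same change, or confirm that the publishing system follows chained redirects.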
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
index 10c18ae319..c2302c6e47 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
@@ -309,5 +309,3 @@
items:
- name: Using Event Viewer with AppLocker
href: applocker\using-event-viewer-with-applocker.md
- - name: AppLocker Settings
- href: applocker\applocker-settings.md
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
deleted file mode 100644
index 956c1904a8..0000000000
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: AppLocker settings
-description: This topic for the IT professional lists the settings used by AppLocker.
-ms.localizationpriority: medium
-ms.topic: conceptual
-ms.date: 09/21/2017
----
-
-# AppLocker settings
-
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional lists the settings used by AppLocker.
-
-The following table describes the settings and values used by AppLocker.
-
-| Setting | Value |
-| - | - |
-| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** |
-| Firewall ports | Not applicable |
-| Security policies | Custom created, no default |
-| Group Policy settings | Custom created, no default |
-| Network ports | Not applicable |
-| Service accounts | Not applicable |
-| Performance counters | Not applicable |
-
-## Related topics
-
-- [AppLocker technical reference](applocker-technical-reference.md)
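Review bot: Deleting this article removes the table row that documents where AppLocker policies are stored (**HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2**), and the redirect added in this patch sends readers to applocker-overview. Confirm that the registry path is documented in the overview or the technical reference before this lands, since it is the one row in the table with concrete content; the remaining rows are "Not applicable" or "Custom created, no default" and can go without loss.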
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index a683153f73..38354ddb98 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -1,50 +1,47 @@
---
title: Tools to use with AppLocker
-description: This topic for the IT professional describes the tools available to create and administer AppLocker policies.
+description: This article for the IT professional describes the tools available to create and administer AppLocker policies.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/23/2023
---
# Tools to use with AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic for the IT professional describes the tools available to create and administer AppLocker policies.
+This article for the IT professional describes the tools available to create and administer AppLocker policies.
The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
-- **AppLocker Local Security Policy MMC snap-in**
+- **AppLocker Local Security Policy MMC snap-in**
The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md).
-- **Generate Default Rules tool**
+- **Generate Default Rules tool**
AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules).
-- **Automatically Generate AppLocker Rules wizard**
+- **Automatically Generate AppLocker Rules wizard**
- By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
+ By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard scans the specified folder and creates the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md).
-- **Group Policy**
+- **Group Policy**
You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC).
If you want more features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack.
-- **Remote Server Administration Tools (RSAT)**
+- **Remote Server Administration Tools (RSAT)**
You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies.
-- **Event Viewer**
+- **Event Viewer**
- The AppLocker log contains information about applications that are affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
+ The AppLocker log contains information about applications affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
-- **AppLocker PowerShell cmdlets**
+- **AppLocker PowerShell cmdlets**
- The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](/powershell/module/applocker/).
+ The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](/powershell/module/applocker/).
-## Related topics
+## Related articles
- [AppLocker technical reference](applocker-technical-reference.md)
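Review bot: The **Event Viewer** bullet still has a comma before "and" in a two-item list ("see [Using Event Viewer with AppLocker] ..., and [Monitor app usage with AppLocker]"); drop it while this line is being touched. The front-matter description and the opening body sentence also keep "for the IT professional", which reads more awkwardly than "for IT professionals"; consider changing both in this pass.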
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index f237a5b23c..19b2256345 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -3,17 +3,16 @@ title: Using Event Viewer with AppLocker
description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 02/02/2023
+ms.date: 12/23/2023
---
+
+
# Using Event Viewer with AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
-The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information:
+The AppLocker log contains information about applications affected by AppLocker rules. Each event in the log contains details such as the following information:
- Which file is affected and the path of that file
- Which packaged app is affected and the package identifier of the app
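Review bot: The two added blank lines between the closing front-matter `---` and the `# Using Event Viewer with AppLocker` heading leave consecutive blank lines at the top of the file. One blank line is enough to separate the front matter from the H1, and it keeps this file consistent with the other articles in the patch, which have a single separator.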
@@ -22,53 +21,52 @@ The AppLocker log contains information about applications that are affected by A
- The rule name
- The security identifier (SID) for the user or group identified in the rule
-Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`).
+Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to nonstandard locations, such as the root of the active drive (for example, `%SystemDrive%`).
For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
> [!NOTE]
> The AppLocker event logs are very verbose and can result in a large number of events depending on the policies deployed, particularly in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether.
-**To review the AppLocker log in Event Viewer**
+## Review the AppLocker logs in Windows Event Viewer
1. Open Event Viewer.
2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**.
-The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules.
+The following table contains information about the events that you can use to determine the apps affected by AppLocker rules.
| Event ID | Level | Event message | Description |
| --- | --- | --- | --- |
-| 8000 | Error| AppID policy conversion failed. Status * <%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
-| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
-| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
-| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8004 | Error| *<File name> * was prevented from running.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.|
-| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
-| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8007 | Error| *<File name> * was prevented from running.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.|
-| 8008| Warning| *<File name> *: AppLocker component not available on this SKU.| Added in Windows Server 2012 and Windows 8.|
-| 8020| Information| *<File name> * was allowed to run.| Added in Windows Server 2012 and Windows 8.|
-| 8021| Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.|
-| 8022| Error| *<File name> * was prevented from running.| Added in Windows Server 2012 and Windows 8.|
-| 8023 | Information| *<File name> * was allowed to be installed.| Added in Windows Server 2012 and Windows 8.|
-| 8024 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.|
-| 8025 | Error| *<File name> * was prevented from running.| Added in Windows Server 2012 and Windows 8.|
-| 8027 | Error| No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.| Added in Windows Server 2012 and Windows 8.|
-| 8028 | Warning | *<File name> * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.|
-| 8029 | Error | *<File name> * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.|
-| 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
-| 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.|
-| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
-| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. | Added in Windows Server 2016 and Windows 10.|
-| 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
-| 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.|
-| 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.|
-| 8037 | Information | * passed Config CI policy and was allowed to run.| Added in Windows Server 2016 and Windows 10.|
-| 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10.|
-| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10.|
-| 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.|
+| 8000 | Error | AppID policy conversion failed. Status * <%1> * | Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes. |
+| 8001 | Information | The AppLocker policy was applied successfully to this computer. | Indicates that the AppLocker policy was successfully applied to the computer. |
+| 8002 | Information | *<File name> * was allowed to run. | Indicates an AppLocker rule allowed the .exe or .dll file. |
+| 8003 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Shown only when the **Audit only** enforcement mode is enabled. Indicates that the AppLocker policy would block the .exe or .dll file if the enforcement mode setting was **Enforce rules**. |
+| 8004 | Error | *<File name> * was prevented from running. | AppLocker blocked the named EXE or DLL file. Shown only when the **Enforce rules** enforcement mode is enabled. |
+| 8005| Information | *<File name> * was allowed to run. | Indicates an AppLocker rule allowed the script or .msi file. |
+| 8006 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Shown only when the **Audit only** enforcement mode is enabled. Indicates that the AppLocker policy would block the script or .msi file if the **Enforce rules** enforcement mode was enabled. |
+| 8007 | Error | *<File name> * was prevented from running. | AppLocker blocked the named Script or MSI. Shown only when the **Enforce rules** enforcement mode is enabled. |
+| 8008| Warning | *<File name> *: AppLocker component not available on this SKU. | Indicates an edition of Windows that doesn't support AppLocker. |
+| 8020| Information | *<File name> * was allowed to run. | Added in Windows Server 2012 and Windows 8. |
+| 8021| Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Added in Windows Server 2012 and Windows 8. |
+| 8022| Error | *<File name> * was prevented from running. | Added in Windows Server 2012 and Windows 8. |
+| 8023 | Information | *<File name> * was allowed to be installed. | Added in Windows Server 2012 and Windows 8. |
+| 8024 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Added in Windows Server 2012 and Windows 8. |
+| 8025 | Error | *<File name> * was prevented from running. | Added in Windows Server 2012 and Windows 8. |
+| 8027 | Error | No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured. | Added in Windows Server 2012 and Windows 8. |
+| 8028 | Warning | *<File name> * was allowed to run but would have been prevented if the Config CI policy were enforced. | Added in Windows Server 2016 and Windows 10. |
+| 8029 | Error | *<File name> * was prevented from running due to Config CI policy. | Added in Windows Server 2016 and Windows 10. |
+| 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
+| 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10. |
+| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
+| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. | Added in Windows Server 2016 and Windows 10. |
+| 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
+| 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10. |
+| 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10. |
+| 8037 | Information | * passed Config CI policy and was allowed to run. | Added in Windows Server 2016 and Windows 10. |
+| 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10. |
+| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10. |
+| 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10. |
-
## Related articles
- [Tools to use with AppLocker](tools-to-use-with-applocker.md)
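Review bot: In the rewritten event table, the levels for 8034 and 8035 look swapped: 8034 is Information with "ManagedInstaller Script check FAILED" and 8035 is Error with "ManagedInstaller Script check SUCCEEDED", while 8030 (SUCCEEDED) is Information and 8032 (FAILED) is Error. Please confirm both rows against the actual events before merging, because anyone filtering or alerting on event level will take this table at face value. The 8039 message also stops at "if the Config CI policy" without the "were enforced" that the 8028 row has; the truncation is carried over unchanged from the removed row.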
From 411e328fa1a69c8655bc3260991e40c3c75d76ac Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Sun, 24 Dec 2023 10:12:55 -0800
Subject: [PATCH 7/7] Final review of AppLocker topics
---
.../applocker-policies-deployment-guide.md | 2 --
.../applocker-policies-design-guide.md | 2 +-
.../applocker-technical-reference.md | 5 ++--
...oy-the-applocker-policy-into-production.md | 2 +-
...p-policy-structure-and-rule-enforcement.md | 1 -
.../document-your-applocker-rules.md | 5 ++--
...stand-applocker-policy-design-decisions.md | 2 --
.../windows-installer-rules-in-applocker.md | 27 +++++++++----------
.../applocker/working-with-applocker-rules.md | 6 ++---
9 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index c6e633f5be..cb437f92b7 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -21,7 +21,6 @@ The following are prerequisites or recommendations to deploying policies:
- Document your application control policy deployment plan by addressing these tasks:
- [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
- [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
- - [Determine your application control objectives](determine-your-application-control-objectives.md)
- [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
- [Select types of rules to create](select-types-of-rules-to-create.md)
- [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
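Review bot: The removal of the "Determine your application control objectives" bullet in this list is not matched in applocker-policies-design-guide.md, where the same patch keeps that link and only rewords its description. If determine-your-application-control-objectives.md is being retired, the design guide row should go as well; if it stays, the commit message should say why the deployment guide and document-your-applocker-rules.md stop pointing to it.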
@@ -33,6 +32,5 @@ The following are prerequisites or recommendations to deploying policies:
| --- | --- |
| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment article for the IT professional describes the process for using AppLocker when deploying application control policies. |
| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment article for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
-| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This article for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview article for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This article for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
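Review bot: The target of the removed row, using-software-restriction-policies-and-applocker-policies.md, is not among the nine files this patch touches, so it is unclear whether that article is deleted, redirected, or simply left without an inbound link from this guide. Please confirm which, and add a redirect if the article is going away, since readers still running SRP alongside AppLocker would otherwise lose the only pointer this table gave them.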
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index e5bcbe1663..0299b53b2a 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -19,7 +19,7 @@ To understand if AppLocker is the correct application control solution for your
| Article | Description |
| --- | --- |
| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This article describes AppLocker design questions, possible answers, and other considerations when you plan a deployment of application control policies by using AppLocker. |
-| [Determine your application control objectives](determine-your-application-control-objectives.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. |
+| [Determine your application control objectives](determine-your-application-control-objectives.md) | This article helps you with the decisions you need to make to determine what applications to control and how to control them using AppLocker. |
| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This article describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This article lists resources you can use when selecting your application control policy rules by using AppLocker. |
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview article describes the process to follow when you're planning to deploy AppLocker rules. |
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
index 909445c4b9..0952a3d433 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -15,13 +15,12 @@ AppLocker lets you create rules to allow or deny apps from running based on info
| Article | Description |
| --- | --- |
-| [What Is AppLocker?](what-is-applocker.md) | This article for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
+| [What Is AppLocker?](what-is-applocker.md) | This article for the IT professional describes what AppLocker is. |
| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This article for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
| [How AppLocker works](how-applocker-works-techref.md) | This article for the IT professional provides links to articles about AppLocker architecture and components, processes and interactions, rules and policies. |
| [AppLocker architecture and components](applocker-architecture-and-components.md) | This article for IT professional describes AppLocker's basic architecture and its major components. |
| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This article for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
-| [AppLocker functions](applocker-functions.md) | This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
+| [AppLocker functions](applocker-functions.md) | This article for the IT professional lists the functions and security levels for AppLocker. |
| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This article for the IT professional describes the security considerations you need to address when implementing AppLocker. |
| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This article for the IT professional describes the tools available to create and administer AppLocker policies. |
-| [AppLocker Settings](applocker-settings.md) | This article for the IT professional lists the settings used by AppLocker. |
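Review bot: The "AppLocker Settings" row at the end of the table is dropped without any mention in the commit message, and unlike the other two edits in this hunk it is unrelated to Software Restriction Policies. Please confirm applocker-settings.md is retired or redirected rather than left unlinked. While in this table, the unchanged "AppLocker architecture and components" row still reads "This article for IT professional describes", which is missing "the".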
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index 38a183679a..d2ef52adad 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -19,7 +19,7 @@ Before you deploy an AppLocker policy, you should determine:
- For each business group, which applications to control and in what manner. For more info, see [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
- How to handle requests for application access. For info about what to consider when developing your support policies, see [Plan for AppLocker policy management](plan-for-applocker-policy-management.md).
- How to manage events, including forwarding events. For info about event management in AppLocker, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
-- Your GPO structure, including how to include policies generated by Software Restriction Policies and AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
+- Your GPO structure, including how to include AppLocker policies. For more info, see [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md).
For info about how AppLocker deployment is dependent on design decisions, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
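Review bot: The new bullet reads "Your GPO structure, including how to include AppLocker policies", which repeats "include" and says little once the SRP reference is gone. Something like "Your GPO structure and where AppLocker policies fit in it" would read better and keep the link to the Group Policy structure article meaningful.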
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index a8e5878454..fb13e22d88 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -21,7 +21,6 @@ This overview article describes the process to follow when you're planning to de
When determining how many Group Policy Objects (GPOs) to create for managing AppLocker policy in your organization, you should consider the following points:
- Whether you're creating new GPOs or using existing GPOs
-- Whether you're implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO
- GPO naming conventions
- GPO size limits
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
index ce02f4d772..1d5ff7d78e 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -10,9 +10,8 @@ ms.date: 12/22/2023
To complete this AppLocker planning document, you should first complete the following steps:
-1. [Determine your application control objectives](determine-your-application-control-objectives.md)
-2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
-3. [Select the types of rules to create](select-types-of-rules-to-create.md)
+1. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+2. [Select the types of rules to create](select-types-of-rules-to-create.md)
Document the following items for each business group or organizational unit:
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 13d2116bc1..898b41da58 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -154,5 +154,3 @@ Designing application control policies based on an organizational structure that
## Record your findings
The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, you can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document.
-
-- For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md).
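Review bot: The paragraph kept under "Record your findings" still tells the reader "you can set your application control policy objectives", but with the bullet removed the section no longer points anywhere for how to do that. Either reword the paragraph so it does not promise a step the docs no longer link to, or keep a pointer to whichever article now covers setting objectives.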
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index 9f51d9f474..e64e6e97ff 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -1,32 +1,29 @@
---
title: Windows Installer rules in AppLocker
-description: This topic describes the file formats and available default rules for the Windows Installer rule collection.
+description: This article describes the file formats and available default rules for the Windows Installer rule collection.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 12/24/2023
---
# Windows Installer rules in AppLocker
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-
-This topic describes the file formats and available default rules for the Windows Installer rule collection.
+This article describes the file formats and available default rules for the Windows Installer rule collection.
AppLocker defines Windows Installer rules to include only the following file formats:
-- .msi
-- .msp
-- .mst
+- .msi
+- .msp
+- .mst
The purpose of this collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection.
| Purpose | Name | User | Rule condition type |
-| - | - | - | - |
-| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *|
-| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)|
-| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|
-
-## Related topics
+| --- | --- | --- | --- |
+| Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *|
+| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)|
+| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*|
+
+## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
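Review bot: In the re-added default rules table, the last cell "Path: %windir%\Installer\*" has a backslash directly before the asterisk, which Markdown treats as an escape, so the rendered path loses its final backslash and shows as %windir%\Installer*. Wrapping the path values in backticks fixes the rendering and makes them safe to copy. The same row names the rule with %systemdrive%\Windows\Installer while its condition uses %windir%\Installer; if that mismatch reflects the product's own rule name, a short remark saying so would prevent confusion.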
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
index fc51015576..e06ef57ede 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -35,10 +35,10 @@ The DLL rule collection isn't enabled by default. To learn how to enable the DLL
## Enforcement modes
-AppLocker policies set an **enforcement mode** for each rule collection included in the policy. These enforcement modes are described in the following table.
+AppLocker policies set an **enforcement mode** for each rule collection included in the policy. These enforcement modes are described in the following table.
| Enforcement mode | Description |
-| - | - |
+| --- | --- |
| **Not configured** | Despite the name, this enforcement mode **doesn't** mean the rules are ignored. On the contrary, if any rules exist in a rule collection that is "not configured", the rules **will be enforced** unless a policy with a higher precedence changes the enforcement mode to Audit only. Since this enforcement mode can be confusing for policy authors, you should avoid using this value in your AppLocker policies. Instead, you should choose explicitly between the remaining two options. |
| **Enforce rules** | Rules are enforced. When a user runs an app affected by an AppLocker rule, the app binary is blocked. Info about the binary is added to the AppLocker event log. |
| **Audit only** | Rules are audited but not enforced. When a user runs an app affected by an AppLocker rule, the app binary is allowed to run. However, the info about the binary is added to the AppLocker event log. The Audit-only enforcement mode helps you identify the apps affected by the policy before the policy is enforced. |
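Review bot: The unchanged **Enforce rules** row says "When a user runs an app affected by an AppLocker rule, the app binary is blocked", which reads as though any matching rule, including an allow rule, blocks the binary. Since this is the final review pass, consider rewording it to say the binary is blocked when the policy does not allow it, and adjust the matching sentence in the **Audit only** row the same way.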
@@ -76,7 +76,7 @@ The **File version** and **Package version** control whether a user can run a sp
The following table describes how a publisher condition is applied.
| Option | The publisher condition allows or denies... |
-|---|---|
+| --- | --- |
| **All signed files** | All files signed by any publisher. |
| **Publisher only** | All files signed by the named publisher. |
| **Publisher and product name** | All files for the specified product signed by the named publisher. |